无法从 Azure AD 中的已注册应用程序获取访问令牌
Unable to get Access Token from a registred application in Azure AD
我正尝试在块管理器中从 Microsoft.Graph 实例化一个新的 GraphServiceClient 实例。
已经做了什么:
- 创建 ASP.NET Core 2.0 控制台应用程序
- 从 Nugget 添加 Micrososft.Graph
- 在 Azure AD 门户中注册应用程序以获取应用程序密码 ID(应用程序密码)和应用程序 ID(客户端 ID)
- 从 Azure AD 门户检索租户 ID(目录 ID)
基本上,这是我的 ASP.NET Core 2.0 项目(控制台应用程序)的全部代码:
using Microsoft.Graph;
using Models;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http.Headers;
using System.Threading.Tasks;
namespace SendADUserListEmail.Services
{
// Response object from Azure AD
public class AzureADResponse
{
public string token_type { get; set; }
public int expires_in { get; set; }
public string access_token { get; set; }
}
/// <summary>
/// Micrososf Graph vs Azure AD Graph :
/// https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
///
/// Introduction to the Azure Active Directory Graph API :
/// https://www.red-gate.com/simple-talk/cloud/security-and-compliance/azure-active-directory-part-5-graph-api/
///
/// ULTIMATE TUTORIAL ABOUT MICROSOFT GRAPH APIS
/// https://bytescout.com/blog/microsoft-graph-apis.html
///
/// Startup !!! TO READ !!! :
/// https://github.com/microsoftgraph/msgraph-sdk-dotnet
///
/// Creating the application Client ID and Client Secret from Microsoft Azure new portal
/// - Register an application on Azure Portal :
/// - 1. Accèder au portail
/// - 2. Inscription d'application
/// - 3. Voir Paramètres > Propriétés
/// https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/
///
/// Microsoft App Registration Portal (alternative method to register an app) :
/// https://apps.dev.microsoft.com
///
/// Microsoft Graph explorer (graph request tester) :
/// https://developer.microsoft.com/en-us/graph/graph-explorer
/// </summary>
class GraphApiHelper
{
// Client
GraphServiceClient GraphServiceClient = null;
// Tenant ID (directory ID)
private const string tenantId = "/*MY_TENANT_ID_FROM_AZURE_AD_PORTAL*/";
// App ID (client ID)
private const string appId = "/*MY_APP_ID_FROM_AZURE_AD_PORTAL*/";
// Secret ID (app password)
private const string appSecret = "/*MY_APP_SECRET_FROM_AZURE_AD_PORTAL*/";
public void Connexion()
{
string url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
string @params = $"client_id={appId}&" +
"scope=User.Read&" +
$"client_secret={appSecret}&" +
"grant_type=client_credentials";
try
{
string accessToken = "";
string jsonStringResult = "";
AzureADResponse response = new AzureADResponse();
// Getting the access token from Azure AD
using (WebClient webClient = new WebClient())
{
webClient.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
jsonStringResult = webClient.UploadString(url, @params);
response = JsonConvert.DeserializeObject<AzureADResponse>(jsonStringResult);
// Set the access token
accessToken = response.access_token;
}
// Initialize the Microsoft Graph client
GraphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
}
catch (Exception exception)
{
Console.WriteLine(exception.Message);
}
}
public List<SystemUser> GetSystemUserList()
{
Connexion();
return null;
}
}
}
我在尝试使用 System.Net.WebClient 执行 post 请求时遇到此错误:
string url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
string @params = $"client_id={appId}&" +
"scope=User.Read&" +
$"client_secret={appSecret}&" +
"grant_type=client_credentials";
jsonStringResult = webClient.UploadString(url, @params);
The remote server returned an error: (400) Bad Request.
基于此来源:https://docs.microsoft.com/en-us/graph/auth-v2-service
我想收到这样的东西:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
我需要的是初始化 GraphServiceClient 的访问令牌。
知道为什么 Microsoft Azure 在此请求上失败了吗?
您应该遵循 juunas 的建议并使用像 ADAL 这样的库来为您完成这些工作。
如果您想自己调用来检索令牌,请首先通过测试来自 Postman 等工具的相同请求来验证问题是否出自您的代码,而不是您的应用程序注册。当您收到错误 400 时,可能是因为您的代码和您的请求格式不正确。
我不习惯使用 WebClient 进行 http 调用,所以我不知道出了什么问题,但我想说这可能与您处理参数的方式有关。如果我是你,我会使用 HttpClient,你可以找到一些在 Whosebug ().
中编码的形式 url 的查询示例
我正尝试在块管理器中从 Microsoft.Graph 实例化一个新的 GraphServiceClient 实例。
已经做了什么:
- 创建 ASP.NET Core 2.0 控制台应用程序
- 从 Nugget 添加 Micrososft.Graph
- 在 Azure AD 门户中注册应用程序以获取应用程序密码 ID(应用程序密码)和应用程序 ID(客户端 ID)
- 从 Azure AD 门户检索租户 ID(目录 ID)
基本上,这是我的 ASP.NET Core 2.0 项目(控制台应用程序)的全部代码:
using Microsoft.Graph;
using Models;
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http.Headers;
using System.Threading.Tasks;
namespace SendADUserListEmail.Services
{
// Response object from Azure AD
public class AzureADResponse
{
public string token_type { get; set; }
public int expires_in { get; set; }
public string access_token { get; set; }
}
/// <summary>
/// Micrososf Graph vs Azure AD Graph :
/// https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
///
/// Introduction to the Azure Active Directory Graph API :
/// https://www.red-gate.com/simple-talk/cloud/security-and-compliance/azure-active-directory-part-5-graph-api/
///
/// ULTIMATE TUTORIAL ABOUT MICROSOFT GRAPH APIS
/// https://bytescout.com/blog/microsoft-graph-apis.html
///
/// Startup !!! TO READ !!! :
/// https://github.com/microsoftgraph/msgraph-sdk-dotnet
///
/// Creating the application Client ID and Client Secret from Microsoft Azure new portal
/// - Register an application on Azure Portal :
/// - 1. Accèder au portail
/// - 2. Inscription d'application
/// - 3. Voir Paramètres > Propriétés
/// https://www.netiq.com/communities/cool-solutions/creating-application-client-id-client-secret-microsoft-azure-new-portal/
///
/// Microsoft App Registration Portal (alternative method to register an app) :
/// https://apps.dev.microsoft.com
///
/// Microsoft Graph explorer (graph request tester) :
/// https://developer.microsoft.com/en-us/graph/graph-explorer
/// </summary>
class GraphApiHelper
{
// Client
GraphServiceClient GraphServiceClient = null;
// Tenant ID (directory ID)
private const string tenantId = "/*MY_TENANT_ID_FROM_AZURE_AD_PORTAL*/";
// App ID (client ID)
private const string appId = "/*MY_APP_ID_FROM_AZURE_AD_PORTAL*/";
// Secret ID (app password)
private const string appSecret = "/*MY_APP_SECRET_FROM_AZURE_AD_PORTAL*/";
public void Connexion()
{
string url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
string @params = $"client_id={appId}&" +
"scope=User.Read&" +
$"client_secret={appSecret}&" +
"grant_type=client_credentials";
try
{
string accessToken = "";
string jsonStringResult = "";
AzureADResponse response = new AzureADResponse();
// Getting the access token from Azure AD
using (WebClient webClient = new WebClient())
{
webClient.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
jsonStringResult = webClient.UploadString(url, @params);
response = JsonConvert.DeserializeObject<AzureADResponse>(jsonStringResult);
// Set the access token
accessToken = response.access_token;
}
// Initialize the Microsoft Graph client
GraphServiceClient = new GraphServiceClient(new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.FromResult(0);
}));
}
catch (Exception exception)
{
Console.WriteLine(exception.Message);
}
}
public List<SystemUser> GetSystemUserList()
{
Connexion();
return null;
}
}
}
我在尝试使用 System.Net.WebClient 执行 post 请求时遇到此错误:
string url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
string @params = $"client_id={appId}&" +
"scope=User.Read&" +
$"client_secret={appSecret}&" +
"grant_type=client_credentials";
jsonStringResult = webClient.UploadString(url, @params);
The remote server returned an error: (400) Bad Request.
基于此来源:https://docs.microsoft.com/en-us/graph/auth-v2-service 我想收到这样的东西:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
我需要的是初始化 GraphServiceClient 的访问令牌。
知道为什么 Microsoft Azure 在此请求上失败了吗?
您应该遵循 juunas 的建议并使用像 ADAL 这样的库来为您完成这些工作。
如果您想自己调用来检索令牌,请首先通过测试来自 Postman 等工具的相同请求来验证问题是否出自您的代码,而不是您的应用程序注册。当您收到错误 400 时,可能是因为您的代码和您的请求格式不正确。
我不习惯使用 WebClient 进行 http 调用,所以我不知道出了什么问题,但我想说这可能与您处理参数的方式有关。如果我是你,我会使用 HttpClient,你可以找到一些在 Whosebug ().
中编码的形式 url 的查询示例